3 Tips for Improving Your Security Awareness Training

It’s a well-known fact that the most significant security vulnerability at any company isn’t a technical flaw — it’s human error. Cybercriminals know this truth all too well, which is why 43 percent of documented breaches involve social engineering attacks, according to the 2017 Verizon Data Breach Investigation Report.

Educating your customers about recognizing (and not falling for) phishing emails and other social engineering attacks is unmistakably imperative. But, many security awareness training programs do very little to move the social engineering awareness needle in a positive direction. To help your MSP avoid this trap, be sure to incorporate the following tips.

1. Use real (and current) phishing examples. Telling users to be more vigilant about opening messages from unknown sources doesn’t provide enough insight to protect users from today’s sophisticated threats. A better approach is to share real-life examples and point out the tell-tale signs of a phishing scheme. The University of California (UC) Berkeley has a site called The Phish Tank that contains several "recent examples of phishing emails received on campus," along with details about what makes the email a phishing message, which MSPs could use.

2. Promote user engagement. Getting users actively involved in the social engineering prevention process is a critical component of an effective program, and several studies show that gamification is the best way to increase employee engagement. One way that gamification can be included in your awareness program is by training users to forward suspicious emails to IT before deleting the messages from their inboxes and adding an incentive to the process. Incentives can range from something as simple as company-wide recognition from a manager or other principal stakeholder to earning an entry into a monthly cash/prize drawing. The point to remember with gamification is that people get more involved in activities when they feel like their efforts are being recognized.

3. Incorporate simulation tests. To gauge the effectiveness of your security awareness program, you’ll need to test your subjects; but, administering a 10-question multiple choice quiz at the end of a presentation isn’t enough. A much better way to ensure users understand your message is by incorporating simulation testing. Simulation testing entails putting users in a realistic environment (e.g., sitting at a computer workstation checking emails) and observing their choices. During a training session, however, everyone’s going to be much more alert than on a Monday morning when no one’s looking over their shoulder. And, that’s why simulation testing should continue after a formalized training session, at random times. For example, on a Tuesday at 1 p.m. a designated group of users could be sent a mock phishing email with a link or attachment that if clicked presents a pop-up window notifying the user what would have happened had the email been an actual phishing email. At the same time, an IT person or manager could be informed of anyone failing the test and can use the opportunity to educate the employee about what they did wrong and how to avoid the slipup in the future.

If the last few years are any indicator of the future, we’re going to see a lot more ransomware and other malware attacks in the workplace. Providing comprehensive email protection and other network security measures will continue to be vital elements in the data protection equation. However, it's also going to be more important than ever to ensure your customers are doing their parts to avoid taking the bait cybercriminals use to quickly bypass these security defenses and gain access to what they want most – your customers' valuable data.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.